For Better Security, Keep Password Policies Simple

Let's start with an experiment: Count how many passwords you enter into web services each day for your personal use. You probably rattle off a list of passwords for email accounts, social networks, utility payment sites, and any number of fringe applications. Then think about all the passwords you need for your job. How many more is it? One? Four? Ten?

Passwords are a fact of life in the digital age, and despite many tech pundits calling for their elimination over the past few years -- most recently after the Heartbleed worm exposed flaws in the OpenSSL protocol that many sites use to transmit user name and password information -- the number of passwords that a person uses at home and at work reaches into the dozens. Enterprises -- including insurance companies -- are finding that this leads to poor habits around password composition and choice.

"The more passwords you have, the more people will use simple or insecure ones, or write them down or use the same ones across multiple sites," says Thomas Dunbar, chief information risk officer for P&C carrier XL Group (Dublin; $238.6 million in first-quarter 2014 income). "That drops down your level of security."

The solution for XL Group comes in the form of federated single sign-on for many of the company's systems. The insurer first implemented what it called "simplified sign-on" about five years ago, Dunbar says, when employees had up to two dozen passwords to remember for enterprise functions. Simplified sign-on brought that down to three or four total passwords per employee.

The Integration Sticking Point

But the technology behind single sign-on has improved over the past few years to address one of the sticking points of implementing such a platform: the problems of integrating new technologies. Single sign-on was so popular with XL Group employees, Dunbar reports, that any time something that didn't fit into the framework was introduced, employees would complain.

"A lot of what XL focuses on when using computers is the colleague experience," he says. "We get a lot of feedback if we give them something that's not under the single sign-on."

With single sign-on in place, looking for technology solutions that are compatible with the system via federated sign-on is "a priority any time we look for a new system," Dunbar says. In a coincidental twist, one recent implementation that used federated sign-on was Security Mentor, a training system vendor that provides online cyber-security-awareness training for XL Group employees. The training sessions, which cover such topics as phishing, mobile security, and password best practices, are accessible via XL Group's federated sign-on, a move that was crucial to ensuring that employees completed the training courses.

"We recommend single sign-on as a way for organizations to connect with us to provide training," says Marie White, Security Mentor's founder, president, and CEO. "We're finding that employers want to make access to their staff as easy as possible, want to make it seamless, and the easier you make it, that's one less barrier for training."

Further, in its role as security expert, Security Mentor recommends single sign-on as an overall way to improve the security habits of large enterprises' employees. Phishing attacks -- especially "spear phishing" attacks that target specific high-risk or high-value individuals in an attempt to gain their passwords -- make good password habits even more important.

"Obviously the Target data breach has brought a lot of attention to the need for end-user data security," White says. "We did a research report with Enterprise Management Associates and found that 33% of the employees surveyed said they use the same password for work and personal devices. If they reuse passwords, they can be breached on many accounts."

That's where the combination of training and technology around single sign-on does the most work in making enterprises more secure. Through programs such as Security Mentor's and its own training initiatives, XL Group and other insurers that choose to go the single sign-on route have plenty of teachable moments to help ensure that those single passwords are as secure as possible. With only one password framework to maintain, carriers can establish strict password expiration rules and easily remove from the system users who have left the company, XL Group's Dunbar says.

"We do password testing on a periodic basis, and if someone leaves the organization, removing their access is easy even for external applications," he says.

Nathan Golia is senior editor of Insurance & Technology. He joined the publication in 2010 as associate editor and covers all aspects of the nexus between insurance and information technology, including mobility, distribution, core systems, customer interaction, and risk ...